Tens of thousands of patients were affected by a medical data breach in New Jersey. Patient health records, collected between 1982 and 2009, were stolen from the shed of a Jersey City doctor. The story would be unremarkable except for the number of people involved and the fact that information was stored on paper. This is one of those instances where HIPAA encryption software wouldn’t have helped.
But it does raise a question: are medical professionals kidding themselves when they proclaim a data “container” of any kind (be it a laptop, a USB drive, a tub full of discarded x-rays, or a box full of files) was stolen for its resale value, and not for the data in them?
According to nj.com, the records were stolen from the grounds of a doctor’s practice. On those grounds was a storage shed. In that shed were stored medical records of patients. The thing securing this PHI data? Two latches on the shed that “had been cut with an unknown cutting tool.” (I’d bet good money the tool was a bolt cutter. They’re cheap and pretty portable. It’s why bike thieves use them).
The breach involved SSNs, dates of birth, addresses, and medical histories. Despite knowing what type of information was breached, the doctor was unable to name any of the patients when filing a police report.
There is no easy and foolproof way of securing paper documents. This is especially true for single practitioners who cannot afford the professional services of storage experts like Iron Mountain (which, despite its name and line of business, has been at the center or a number of data breaches over the years). What can an individual do? Storing something in a shed sounds like a solution, although not an ideal one.
Had it been me, I’d probably have done something similar but used a storage facility with security personnel and closed-circuit cameras. It’s not perfect but it’s better than a random shed. Plus, there is a certain degree of safety in anonymity: a shed owned by a doctor stores the doctor’s stuff, but which lot among tens or hundreds of identical others belongs to him? A crime of opportunity is harder for the latter.
Was It for the Data?
While the contents of the shed were not listed, it stands to reason that it contained something easier to flip on the streets than a bunch of documents. Yet, there’s no mention of other stuff. The patient files were all that was taken.
And with medical data theft (and illegal sale) growing at astronomical rates, the only conclusion to be garnered here is that the break-in is inextricably tied with data theft.
Things become more nebulous, however, if theft involves something with tangible value, such as a laptop full of medical data. Was the medical data the target or the laptop? Many medical organizations will say it’s the latter. But there’s no way to be sure.
Furthermore, that’s not the right question to ask. The right question is, “seeing how a laptop full of PHI was stolen, what are the chances that the PHI will be breached?” With incidents like the above, it wouldn’t be an outlier to find that thieves check the contents of the laptop to see if they managed to land a fish that’s more than it appears.
Related Articles and Sites: